hyperpolymath · hyperpolymath · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026 · chatgpt-codex-connector
diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
@@ -1,19 +1,18 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: BoJ Server Build Trigger
-
 on:
   push:
-    branches: [ main, master ]
+    branches: [main, master]
   workflow_dispatch:
-
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Trigger BoJ Server (Casket/ssg-mcp)
         run: |
           # Send a secure trigger to boj-server to build this repository
           curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke"             -H "Content-Type: application/json"             -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"}
         continue-on-error: true
+permissions: read-all
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -11,15 +11,13 @@
 # supported CodeQL languages.
 #
 name: "CodeQL Advanced"
-
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
   schedule:
     - cron: '16 7 * * 1'
-
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -32,69 +30,64 @@ jobs:
     permissions:
       # required for all workflows
       security-events: write
-
       # required to fetch internal or private CodeQL packs
       packages: read
-
       # only required for workflows in private repositories
       actions: read
       contents: read
-
     strategy:
       fail-fast: false
       matrix:
         include:
-        - language: actions
-          build-mode: none
-        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
-        # Use `c-cpp` to analyze code written in C, C++ or both
-        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
-        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
-        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
-        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+          - language: actions
+            build-mode: none
+            # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+            # Use `c-cpp` to analyze code written in C, C++ or both
+            # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+            # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+            # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+            # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+            # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+            # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-    # Add any setup steps before running the `github/codeql-action/init` action.
-    # This includes steps like installing compilers or runtimes (`actions/setup-node`
-    # or others). This is typically only required for manual builds.
-    # - name: Setup runtime (example)
-    #   uses: actions/setup-example@v1
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
-      with:
-        languages: ${{ matrix.language }}
-        build-mode: ${{ matrix.build-mode }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      # Add any setup steps before running the `github/codeql-action/init` action.
+      # This includes steps like installing compilers or runtimes (`actions/setup-node`
+      # or others). This is typically only required for manual builds.
+      # - name: Setup runtime (example)
+      #   uses: actions/setup-example@v1
 
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+      # If the analyze step fails for one of the languages you are analyzing with
+      # "We were unable to automatically build your code", modify the matrix above
+      # to set the build mode to "manual" for that language. Then modify this step
+      # to build your code.
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+      - name: Run manual build steps
         # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-    # If the analyze step fails for one of the languages you are analyzing with
-    # "We were unable to automatically build your code", modify the matrix above
-    # to set the build mode to "manual" for that language. Then modify this step
-    # to build your code.
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-    - name: Run manual build steps
-      if: matrix.build-mode == 'manual'
-      shell: bash
-      run: |
-        echo 'If you are using a "manual" build mode for one or more of the' \
-          'languages you are analyzing, replace this with the commands to build' \
-          'your code, for example:'
-        echo '  make bootstrap'
-        echo '  make release'
-        exit 1
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
-      with:
-        category: "/language:${{matrix.language}}"
+        if: matrix.build-mode == 'manual'
+        shell: bash
+        run: |
+          echo 'If you are using a "manual" build mode for one or more of the' \
+            'languages you are analyzing, replace this with the commands to build' \
+            'your code, for example:'
+          echo '  make bootstrap'
+          echo '  make release'
+          exit 1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        with:
+          category: "/language:${{matrix.language}}"
+permissions: read-all
diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml
@@ -11,13 +11,13 @@ jobs:
           # Check for package manager files
           HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1)
           HAS_NIX=$(find . -name "*.nix" 2>/dev/null | head -1)
-          
+
           # Block new package-lock.json, yarn.lock, Gemfile.lock, etc.
           NEW_LOCKS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E 'package-lock\.json|yarn\.lock|Gemfile\.lock|Pipfile\.lock|poetry\.lock|cargo\.lock' || true)
           if [ -n "$NEW_LOCKS" ]; then
             echo "⚠️ Lock files detected. Prefer Guix manifests for reproducibility."
           fi
-          
+
           # Prefer Guix, fallback to Nix
           if [ -n "$HAS_GUIX" ]; then
             echo "✅ Guix package management detected (primary)"
@@ -26,5 +26,6 @@ jobs:
           else
             echo "ℹ️ Consider adding guix.scm or flake.nix for reproducible builds"
           fi
-          
+
           echo "✅ Package policy check passed"
+permissions: read-all
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -1,38 +1,31 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
 name: Code Quality
 on: [push, pull_request]
-
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
       - name: Check file permissions
         run: |
           find . -type f -perm /111 -name "*.sh" | head -10 || true
-
       - name: Check for secrets
         uses: trufflesecurity/trufflehog@7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8 # main
         with:
           path: ./
           base: ${{ github.event.pull_request.base.sha || github.event.before }}
           head: ${{ github.sha }}
         continue-on-error: true
-
       - name: Check TODO/FIXME
         run: |
           echo "=== TODOs ==="
           grep -rn "TODO\|FIXME\|HACK\|XXX" --include="*.rs" --include="*.res" --include="*.py" --include="*.ex" . | head -20 || echo "None found"
-
       - name: Check for large files
         run: |
           find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files"
-
       - name: EditorConfig check
         uses: editorconfig-checker/action-editorconfig-checker@4054fa83a075fdf090bd098bdb1c09aaf64a4169 # main
         continue-on-error: true
-
   docs:
     runs-on: ubuntu-latest
     steps:
@@ -43,9 +36,10 @@ jobs:
           [ ! -f "README.md" ] && [ ! -f "README.adoc" ] && MISSING="$MISSING README"
           [ ! -f "LICENSE" ] && [ ! -f "LICENSE.txt" ] && [ ! -f "LICENSE.md" ] && MISSING="$MISSING LICENSE"
           [ ! -f "CONTRIBUTING.md" ] && [ ! -f "CONTRIBUTING.adoc" ] && MISSING="$MISSING CONTRIBUTING"
-          
+
           if [ -n "$MISSING" ]; then
             echo "::warning::Missing docs:$MISSING"
           else
             echo "✅ Core documentation present"
           fi
+permissions: read-all
diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml
@@ -5,19 +5,16 @@
 # Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme
 
 name: RSR Anti-Pattern Check
-
 on:
   push:
     branches: [main, master, develop]
   pull_request:
     branches: [main, master, develop]
-
 jobs:
   antipattern-check:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
       - name: Check for TypeScript
         run: |
           if find . -name "*.ts" -o -name "*.tsx" | grep -v node_modules | grep -q .; then
@@ -26,7 +23,6 @@ jobs:
             exit 1
           fi
           echo "✅ No TypeScript files"
-
       - name: Check for Go
         run: |
           if find . -name "*.go" | grep -q .; then
@@ -35,7 +31,6 @@ jobs:
             exit 1
           fi
           echo "✅ No Go files"
-
       - name: Check for Python (non-SaltStack)
         run: |
           PY_FILES=$(find . -name "*.py" | grep -v salt | grep -v _states | grep -v _modules | grep -v pillar | grep -v venv | grep -v __pycache__ || true)
@@ -45,23 +40,20 @@ jobs:
             exit 1
           fi
           echo "✅ No non-SaltStack Python files"
-
       - name: Check for npm lockfiles
         run: |
           if [ -f "package-lock.json" ] || [ -f "yarn.lock" ]; then
             echo "❌ npm/yarn lockfile detected - use Deno instead"
             exit 1
           fi
           echo "✅ No npm lockfiles"
-
       - name: Check for tsconfig
         run: |
           if [ -f "tsconfig.json" ]; then
             echo "❌ tsconfig.json detected - use ReScript instead"
             exit 1
           fi
           echo "✅ No tsconfig.json"
-
       - name: Verify Deno presence (if package.json exists)
         run: |
           if [ -f "package.json" ]; then
@@ -70,7 +62,6 @@ jobs:
             fi
           fi
           echo "✅ Deno configuration check complete"
-
       - name: Summary
         run: |
           echo "╔════════════════════════════════════════════════════════════╗"
@@ -81,3 +72,4 @@ jobs:
           echo "║                                                            ║"
           echo "║  Blocked: TypeScript, Go, npm, Python (non-Salt)          ║"
           echo "╚════════════════════════════════════════════════════════════╝"
+permissions: read-all
diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml
@@ -9,30 +9,31 @@ jobs:
       - name: Security checks
         run: |
           FAILED=false
-          
+
           # Block MD5/SHA1 for security (allow for checksums/caching)
           WEAK_CRYPTO=$(grep -rE 'md5\(|sha1\(' --include="*.py" --include="*.rb" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" . 2>/dev/null | grep -v 'checksum\|cache\|test\|spec' | head -5 || true)
           if [ -n "$WEAK_CRYPTO" ]; then
             echo "⚠️ Weak crypto (MD5/SHA1) detected. Use SHA256+ for security:"
             echo "$WEAK_CRYPTO"
           fi
-          
+
           # Block HTTP URLs (except localhost)
           HTTP_URLS=$(grep -rE 'http://[^l][^o][^c]' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.yaml" --include="*.yml" . 2>/dev/null | grep -v 'localhost\|127.0.0.1\|example\|test\|spec' | head -5 || true)
           if [ -n "$HTTP_URLS" ]; then
             echo "⚠️ HTTP URLs found. Use HTTPS:"
             echo "$HTTP_URLS"
           fi
-          
+
           # Block hardcoded secrets patterns
           SECRETS=$(grep -rEi '(api_key|apikey|secret_key|password)\s*[=:]\s*["'][A-Za-z0-9+/=]{20,}' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.env" . 2>/dev/null | grep -v 'example\|sample\|test\|mock\|placeholder' | head -3 || true)
           if [ -n "$SECRETS" ]; then
             echo "❌ Potential hardcoded secrets detected!"
             FAILED=true
           fi
-          
+
           if [ "$FAILED" = true ]; then
             exit 1
           fi
-          
+
           echo "✅ Security policy check passed"
+permissions: read-all
diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml
@@ -13,6 +13,8 @@ on:
     # Weekly expiry check
     - cron: '0 9 * * 1'
   workflow_dispatch:
+permissions: read-all
+
 
 jobs:
   validate: